Do I need to have a SINGLE major risk?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Niko90, Apr 10, 2017.

  1. Niko90

    Niko90 Member

    Joined:
    Oct 12, 2016
    Messages:
    7
    Likes Received:
    2
    Trophy Points:
    2
    Location:
    Tagaytay, Philippines
    Greetings!

    Just last week, we underwent the first stage audit with our CB. To determine the actions to address risks and opportunities, we used a matrix that lists down all the steps of a procedure, its requirement/s, the corresponding risks and opportunities of these requirements and the actions to address them. We also indicated what the planned result should be for these steps. IMHO, doing this would help us make sure that our procedures would be effective. Here's the thing though, one of the auditors from our CB indicated that one of the risks I should have explicitly stated is that our process (which is about providing info to clients through various means) may not be effective. It seems the auditor wants me to identify a single major risk. I can't buy into this idea because when we were indicating the actions in this matrix, the main goal is for our process to be effective by addressing risks/opportunities. Thus addressing risks, effectiveness and achieving intended results are 'peppered' throughout this matrix.
    I would like to hear everyone's thoughts on this. Thank you.
     
    Last edited: Apr 10, 2017
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,285
    Likes Received:
    2,631
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Your auditor is WRONG! All you are required to demonstrate is "risk based thinking". If you understand the context of the organization, your organization's interested parties and their needs, through something like a SWOT analysis, then addressing the weaknesses and threats can be used to demonstrate you recognize risks and you address them in your planning - take for example an aging workforce. If you plan on creating an apprenticeship scheme to bring entry level people up to some level of skill you can't recruit replacements who already possess those skills, THAT'S demonstrating RBT.

    Your auditor is incompetent. Take a look at ISO/TS 9002.
     
  3. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    723
    Trophy Points:
    112
    Location:
    USA
    I don't understand the single major risk idea, as all processes are expected to have had risk (effect of uncertainty) defined and they could be very different from each other.
     
  4. Andy Nichols

    and it's not just about process risks...
     
  5. Jennifer Kirley

    Yes, that's right.
     
  6. Randy A. Kaczynski

    Randy A. Kaczynski Member

    Joined:
    Aug 3, 2015
    Messages:
    16
    Likes Received:
    10
    Trophy Points:
    2
    I disagree with the prior statement --- All you are required to demonstrate is "risk based thinking".
    The requirements are in 6.1 (Actions to address risks and opportunities).
    • determine the risks and opportunities
    • plan actions to address these risks and opportunities
    • integrate and implement the actions into its QMS processes
    • evaluate the effectiveness of these actions
     
  7. Jennifer Kirley

    Randy, let's not forget that one of the management review inputs is (e) effectiveness of actions to address risks and opportunities. How to demonstrate that?
     
  8. Andy Nichols

    Isn't this "risk based thinking" Randy? Can't the requirements be addressed by leadership discussing this and not having procedures, risk records or a specific tool (FMEA etc) to document it?
     
  9. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,355
    Likes Received:
    1,060
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Auditors should refrain from being presumptuous. If an organization opted to use RBT tools that they are comfortable with, they should not dictate how their preferred tools are to be used.

    Niko90's intention in using their tool is clear to him - that's why he said:
    Why should an auditor demand a single major risk, when Niko90 clarified this to the auditor:
    Most of the items mentioned by Randy were covered, except the last statement (i.e. evaluation of effectiveness of actions taken to address risks/opportunities).
     
  10. Randy A. Kaczynski

    If you want to comply with ISO 9001:2015 and demonstrate RBT, just follow the 6.1 requirements. 'Nuff said! ;)